Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
10-25-2007, 06:03 AM
|
#1
|
Member
Registered: Jun 2007
Distribution: Fedora, RHEL, Centos
Posts: 294
Rep:
|
chattr +i disallows sudo
Not sure if this is by design or something I am doing wrong. I have RHEL4 servers with some located in a DMZ. While changing the SSH config to disallow root logins, I have come across an issue, where if I ssh into any of the DMZ servers (as my user account), and try and either "su - root" or "sudo {command}" I get an error. (e.g. "Sorry, sudo must be setuid root." or the password is invalid for root.).
/etc/sudoers is setup correctly as it does work for non DMZ servers.
The root password is correct as I can login directly as root (without ssh locked down).
I have narrowed it down to the fact that our DMZ servers have "chattr +i /etc/passwd /etc/group /etc/shadow" and if I remove this (chattr -i ...) then sudo and su - root works.
Perhaps I don't understand what immutable means exactly, because I thought it meant these files can't be changed and I don't see how sudo or su is changing these files. Does anyone else have this issue? Is this by design? How do other people get around this? It seems like a standard thing to disallow root ssh logins.
thanks
|
|
|
10-25-2007, 07:20 AM
|
#2
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
I tried setting the "i" bit on the same files and was able to use su and sudo. Did you take the error message at it's word and check if the sudo program is suid root?
|
|
|
10-25-2007, 11:57 PM
|
#3
|
Member
Registered: Dec 2005
Posts: 52
Rep:
|
Quote:
Originally Posted by zQUEz
Not sure if this is by design or something I am doing wrong. I have RHEL4 servers with some located in a DMZ. While changing the SSH config to disallow root logins, I have come across an issue, where if I ssh into any of the DMZ servers (as my user account), and try and either "su - root" or "sudo {command}" I get an error. (e.g. "Sorry, sudo must be setuid root." or the password is invalid for root.).
/etc/sudoers is setup correctly as it does work for non DMZ servers.
The root password is correct as I can login directly as root (without ssh locked down).
I have narrowed it down to the fact that our DMZ servers have "chattr +i /etc/passwd /etc/group /etc/shadow" and if I remove this (chattr -i ...) then sudo and su - root works.
Perhaps I don't understand what immutable means exactly, because I thought it meant these files can't be changed and I don't see how sudo or su is changing these files. Does anyone else have this issue? Is this by design? How do other people get around this? It seems like a standard thing to disallow root ssh logins.
thanks
|
i = immutable..
brother, please remove it
chattr -i /etc/sudoers
|
|
|
All times are GMT -5. The time now is 11:57 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|